As we mentioned earlier, we contacted Michael Schierl, the Java expert who discovered a number of Java vulnerabilities and asked him to have a look. He sent back his detailed analysis, exploit source, the interim patch with the source code of the patched class.

Patch request:

Interim patch with the source code of the patched class. See the Readme of the patch in the previous post (thanks to Michael Schierl).

Email from your company email address to admin <at> deependresearch.org and explain the planned use, please.

The cat is out of the bag. There is 0-day out there currently being used in targeted attacks. The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails. Interestingly, Mark Wuergler mentioned on August 10 that VulnDisco SA CANVAS exploit pack now has a new Java 0-day. It makes you wonder if it is the same exploit that leaked from or was found in the wild and added to the CANVAS pack. Or if it is totally unrelated and there are two 0-day exploits now.

The purpose of this post is not to provide the vulnerability analysis or samples but to offer additional information that may help prevent infections on some targeted networks. We all know what kind of damage Java vulnerabilities can cause if used in drive by exploits or exploit packs and we think that revealing technical vulnerability details in the form of a detailed technical analysis is dangerous, while releasing working exploits before the patch is vain and irresponsible.

Oracle patch cycle is 4 months (middle of February, June, October) with bugfixes 2 months after the patch. The next patch day is October 16 - almost two months away. Oracle almost never issue out-of-cycle patches but hopefully they will do consider it serious enough to do it time.

I was still writing my analysis when Alienvault posted CVE-2012-1535: Adobe Flash being exploited in the wild and mine would be pretty much the repeat of the same. I don't like repeating so I will just post the samples and link to Jaime Biasco's article. As you see from SSDeep they are nearly identical in size, exploit, and payload. All Word documents were authored by "Mark" and have same strings and indicators present as in the analyzed file.

Excerpt:The highest number of infections is recorded in Lebanon, with more than 1600 computers affected. The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks – including the Bank of Beirut, Byblos Bank and Fransabank.

In Israel and the Palestinian Territory, 750 incidents have been recorded." (Kaspersky)

Thursday, August 9, 2012

Symantec recently posted an article by Joji Hamada titled "Password “8861” Used in Targeted Attacks", where the attackers continuously using the same passwords sent in emails together with the malicious attachment. Indeed, the password not only allows to evade detection but also makes it difficult to analyse the exploit itself.

All the samples i have that have this password appear to be created via a generator and share certain similarities. I will point out a few but you can find many more if you analyse the files and payloads.

The hallmark ListView2, 1, 1, MSComctlLib, ListVieware clearly seen in the files, as well as excessive calls to MSCOMCTL.OCX during the dynamic analysis.

- Same password

8861 could be the attacker's lucky number, or it is job related, or being a primary number, it plays some role in the RSA encryption implementation in this generator ( this one perhaps is a bit far fetched, but not more than other theories)

- Antivirus/Malware detection

These files are mostly detected as Exploit.D-Encrypted by different AV vendors but this signature detects other malicious password protected documents - it is not limited to this 8861 generator files.

Yara Signatures: You can develop your own yara signatures based on these and other indicators you find in the files. I will share signatures on Yara Signature Exchange Google Group. If you are interested in making and sharing, please see DeepEnd Research: Yara Signature Exchange Google GroupIDS: Emerging threats IDS signatures - see below.

- Same file structure

They are each different sizes and have different payloads, however the first 120KB of each file are identical and are completley different from the headers of other typical user created password protected spreadsheets and other malicious and password protected XLS files. I will post two other malicious messages that were NOT generated using the same generator is seems and have a different password (I don't know password for those two files yet, if your figure it out, please share)

- Same document code page

Windows Simplified Chinese (PRC, Singapore)

- Same name for the dropped files (ews.exe and set.xls)

The dropped payload and the clean XLS document are different sizes, different types of malware for trojans, but have the same names (some are renamed after creation), which suggests a template. The embedded clean XLS documents have different metadata - I guess those were downloaded from internet or stolen from different targets - some were created on the Kingsoft version of Office, different authors, etc.

Default is "Office 97/2000 compatible", which I think is 40-bit RC4 encryption. The generator is probably not using Excel interface but has it's own implementation of the encryption for the VBA code.

- Targets do not seem to be related by their occupation

Targets are in different countries - Japan, China, France and do not seem to be related by business or industry - human rights activists, businesses, politicians. This makes me think it is not the same group of attackers but it is just a generator purchased by/supplied to different groups attacking different targets. The same trojan types, C2 domains, and targets were covered on Contagio and other resources earlier.

Friday, August 3, 2012

Andre' DiMino posted an excellent analysis of Cridex banking malware using Volatility on sempersecurus.blogspot.comand if you wish to repeat his steps or interested in this malware, I am posting the corresponding samples. Cridex is a complex financial trojan and is being distributed via spam messages (carrying exe files in zipped attachments) and Blackhole Exploit kit.
The messages have various themes - from UPS, Fedex, USPS to Groupon deals and "HP-scan" and other lures. Some message screenshots and corresponding malware are posted below.

If you are interested in memory analysis, please see the resource section of this post (links to the tools: Volatility, Mandiant Redline, memory dumps and other memory analysis done by Andre' and other researchers)

Thursday, August 2, 2012

Sorry for being away for such a long time - I was out of town for almost 2 weeks and came back just a couple of days ago. However, the blog is not dead and I am planning to post more stuff soon. There is Madi/Mahdi epidemic in progress, the exploit pack table needs urgent updates, and I have a quite a few samples accumulated that I need to post before they get old and boring. For now, if you are looking for anything specific, you can ask and I will check if I have them in the pending category.

Today, please enjoy the second part of CVE-2012-1889 analysis (CVE-2012-1889 Security Update Analysis - in video and PDF format ) sent to us by Brian Mariani and Frédéric Bourla from High-Tech Bridge www.htbridge.com (High-Tech Bridge CVE Acreditation)

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.